Cybersecurity Maturity Model Certification
Protecting controlled unclassified information in the defense industrial base
// What is CMMC?
CMMC establishes cybersecurity requirements for organizations in the Defense Industrial Base (DIB) handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The program requires contractors to demonstrate cybersecurity maturity through assessment before receiving certain DoD contracts.
CMMC 2.0, finalized in 2024, streamlined the original five-level model to three levels aligned with existing NIST standards. Level 1 covers basic FCI protection, Level 2 aligns with NIST SP 800-171 for CUI, and Level 3 adds enhanced controls from NIST SP 800-172 for critical programs.
Implementation is phased, with CMMC requirements appearing in solicitations starting in 2025. Contractors must achieve appropriate certification before contract award, making preparation essential for organizations seeking DoD work.
// Inside the Regulation
CMMC 2.0 defines three maturity levels with increasing security requirements. Each level builds on the previous, with controls derived from NIST Special Publications 800-171 and 800-172.
Level 1: Foundational
Basic safeguarding of Federal Contract Information (FCI) based on FAR 52.204-21 requirements. Self-assessment with annual affirmation.
15 Practices
Basic cyber hygiene practices including access control, identification, media protection, physical protection, system protection, and system integrity.
Self-Assessment
Annual self-assessment with affirmation by senior company official. No third-party certification required.
Scope
Applies to contractors handling only FCI (not CUI). Entry point for most small contractors.
Level 2: Advanced
Protection of Controlled Unclassified Information (CUI) aligned with NIST SP 800-171 Rev 2. Requires third-party assessment for most contracts.
110 Practices
Complete implementation of NIST SP 800-171's 110 security requirements across 14 control families.
Assessment Types
Self-assessment for non-prioritized acquisitions; third-party assessment by C3PAO (Certified Third-Party Assessment Organization) for prioritized acquisitions.
Plan of Action & Milestones
Limited POA&Ms allowed for certain requirements with defined timelines for remediation.
Key Control Families
Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity.
Level 3: Expert
Enhanced protection for CUI on critical programs against advanced persistent threats. Government-led assessment required.
110+ Practices
All NIST SP 800-171 requirements plus selected enhanced controls from NIST SP 800-172.
Government Assessment
Assessment conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Critical Programs Only
Required only for contractors supporting the most sensitive DoD programs with highest-value CUI.
Note: CMMC builds on existing DFARS 252.204-7012 requirements, which already require NIST SP 800-171 implementation. The key change is mandatory assessment and certification before contract award, rather than self-attestation. Organizations already compliant with 800-171 are well-positioned for CMMC Level 2.
// Who Must Comply
1. Prime contractors on DoD contracts involving FCI or CUI
2. Subcontractors handling FCI or CUI from DoD contracts
3. Defense Industrial Base organizations seeking DoD work
4. Manufacturers and suppliers in defense supply chains
5. IT service providers supporting DoD contractors
// Key Requirements
Access Control
Limit system access to authorized users, processes, and devices; control CUI flow
Audit & Accountability
Create, protect, and retain system audit logs; review and report on audit events
Configuration Management
Establish and maintain baseline configurations; control and monitor changes
Identification & Authentication
Identify and authenticate users, devices, and processes; implement multi-factor authentication
Incident Response
Establish incident handling capabilities; detect, report, and respond to incidents
System Protection
Monitor, control, and protect communications; implement subnetwork isolation
// Enforcement & Penalties
CMMC non-compliance results in ineligibility for contract award. False claims about compliance status carry severe penalties under the False Claims Act. Organizations misrepresenting CMMC status face potential debarment from federal contracting.
False Claims Act: treble damages + $11,000+ per claim
Examples:
- Contract award denial for insufficient CMMC level
- False Claims Act liability for misrepresenting compliance status
- Contract termination if certification lapses during performance
- Debarment from federal contracting for willful non-compliance
// Cyber Insurance Impact
Cyber insurers serving defense contractors increasingly require evidence of CMMC compliance or readiness. Coverage for CUI breaches may depend on demonstrated compliance with applicable requirements. Some insurers offer specialized DIB policies with CMMC compliance conditions.
// How Breach Craft Helps
We help organizations achieve CMMC compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of CMMC.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873